The Agency confirms that Facebook treats data, even specially protected, for advertising purposes without obtaining consent and does not completely cancel the information of the users when it is no longer useful for the purpose for which it was collected or when they request it.
The Spanish Agency for Data Protection (AEPD) has issued resolution in the proceedings to the company Facebook to analyze whether the data processing carried out by the social network are adapted to the rules of data protection. The Agency declares the existence of two serious infringements and one very serious of the Organic Law on Data Protection (LOPD) and imposes on Facebook a penalty of 1,200,000 euros -300,000 for each of the first and 600,000 for the second.
In the framework of the research, the AEPD has verified that Facebook collects data on ideology, sex, religious beliefs, personal tastes or navigation without clearly informing about the use and purpose that it will give them. Specifically, it has verified that the social network treats specially protected data for publicity purposes, among others, without obtaining the express consent of the users as required by data protection regulations, a violation classified as very serious in the LOPD.
The investigation has also allowed us to verify that Facebook does not inform users in an exhaustive and clear way about the data that will collect and the treatments that will be carried out with them, but is limited to give some examples. In particular, the social network collects other data derived from the interaction carried out by users on the platform and on third-party sites without them being able to clearly perceive the information that Facebook collects about them or for what purpose they will use it .
Consequently, the Agency considers that Facebook does not adequately collect the consent of either its users or those who are not – and whose data it also treats, which constitutes a serious infringement.
Finally, the Agency has been able to verify that Facebook does not eliminate the information that it collects from the habits of navigation of the users , but retains and reuses it later associated with the same user. Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the EDPSconsiders that the personal data of the users are not canceled in their entirety or when they are no longer useful for the purpose for which they were collected nor when the user explicitly requests their removal, according to the requirements of the LOPD, which represents a serious offense.
Given the changes introduced by Facebook in its terms and conditions of use in January 2015, several Data Protection Authorities of the European Union, including the AEPD , formed a Contact Group * through which to coordinate their actions . These authorities have developed their respective investigation procedures in accordance with the provisions of their national legal systems.
* The Contact Group is composed of the Data Protection Authorities of Belgium, Spain, France, Hamburg (Germany) and the Netherlands.